APPROXIMATING SAML USING SIMILARITY BASED IMPRECISION
|
|
- Muriel Bradley
- 8 years ago
- Views:
Transcription
1 APPROXIMATING SAML USING SIMILARITY BASED IMPRECISION Guillermo Navarro 1, and Simon N. Foley 2 1 Dept. of Information and Communications Engineering, Universitat Aut onoma de Barcelona, Bellaterra, Spain gnavarro@ccd.uab.es 2 Dept. of Computer Science, University College, Cork, Ireland s.foley@cs.ucc.ie Abstract Keywords: With the increasing complexity of networked systems has come the trade-off of security versus functionality; a strictly secured system is often an unusable system. As a consequence, users often entirely bypass security in order to get their job done. We consider how similarity techniques that are used by casebased reasoning systems can be used to provide a degree of control over how strictly/precisely security is enforced. The flexibility to be able to meaningfully control how strictly security is enforced is especially relevant in the emerging Web Services architectures, where a wide variety of different users and heterogeneous systems use a common framework to interoperate with a wide variety of different resources and services. The paper proposes similarity-based imprecision security (SBIS) for the Security Assertion Markup Language (SAML) as an approach to managing security in a web-services environment. Imprecise security, SAML, Case-Based Reasoning, access control. 1. Introduction Traditional research on protection systems has focused on finding a system that can provide absolute security. That is, systems where only properly authorised actions can take place. By properly authorised we mean that the actions need to be absolutely classified, identified, authenticated, an so forth. Modern computer systems have become very complex. Many users may wish to interact and/or use many resources, which may be distributed across a network. Enforcing security across these systems becomes correspondingly complex and, if strictly enforced, can lead to an unusable system.
2 2 End users regularly fail to appreciate the security decisions that they must make because they barely understand the security policy in force, let alone how security mechanisms may interoperate. Users tend to deliberately ignore or bypass security to get their work done. For example, it is a common practice for users to deliberately share or disclose passwords to facilitate system access (Adams and Sasse, 1999). Large enterprises such as governments, academic centres or big corporations, have many formal rules and regulations. In practice, enterprises work by relying upon social networks and unwritten rules, which are often contrary to the written rules. After all, a strategy used by employees to pressure management in labour disputes is to work to rule (Odlyzko, 2003). An example of the potential for complex security rules is the Secure Assertion Markup Language (SAML) that is used to express security information in Web Services and Grid. The use of overly strict security policies by Web Services will more than likely lead to security being bypassed by administrators in their effort to provide continuing service. We use approximation techniques from the area of Case Based Reasoning to provide a degree of control over how strictly a security policy is enforced. Rather than the conventional all-ornothing security, our approach can be regarded as providing a security dial that controls the degree of strictness of security enforcement that the system is willing to tolerate. In this paper we describe how these approximation techniques can be used in a practical way in SAML based applications, such as web services. Section 2 motivates and describes related work. In Section 3 we describe similaritybased imprecise security. Section 4 describes how it is integrated with existing SAML-based frameworks and Sections 5 and 6 describe the extension of SAML to support imprecision information in practice. Section 7 concludes the paper. 2. Motivation and Related Work Empirical studies reveal that security systems are failing to provide usable applications, from simple password-based systems (Adams and Sasse, 1999; Yan et al., 2004), to complex access control systems (Zurko and Simon, 1996). Existing research on the usability of security systems has mainly focused on user interfaces. While providing a better user interface may be an excellent solution for some systems, it is not necessarily the solution to more usable and secure systems (Whitten and Tygar, 1999; Smetters and Grinter, 2002). In this paper we propose the use of a different approach to achieve more usability in security systems, by reconsidering how security decisions are taken. We consider an imprecise security system, where the decision engine can take into account the similarity between security related information. Imprecise se-
3 curity introduces more flexibility in protection systems. Imprecision is defined in terms of similarity of authorisation: for example, how similar is root access in Unix to administrator access in Windows? Rather than all-or-nothing security, imprecision provides degrees of security, which can be viewed as a a security dial. Turning the dial up, results in the system becoming closer to a very strict security system (in some sense more secure); turning the dial down relaxes security enforcement, permitting more imprecision (in some sense less secure). Some applications of imprecise security are: Overcome complexity in large organisations. Large organisations impose many administrative rules which can be counterproductive; employees deliberately bypass the rules to do their job. An absolute security system does not allow its employees to bypass the rules. To avoid bureaucracy, users stop using the system whenever possible, or else use it incorrectly (for example, sharing passwords or private keys). Emergency situations. Some emergency situations may require relaxing the security measures of a system. This security downgrading should be achieved in a fast and controlled way. For example, a doctor isolated in an hospital during a tropical storm, needs to access the records of a patient from another department, doctor or hospital. Heterogeneous systems. Interoperability of heterogeneous systems require the use of security information from one system to another, or reuse security policies between different environments. Due to the different nature and technologies of the different systems it may be impossible to provide an isomorphic mapping between them. Similarity measures provide degrees of imprecision that can allow a practical mapping to be defined. Providing degrees of flexibility in security enforcement has been studied to a limited extent in the literature. In (Rissanen et al., 2004), the authors introduce the notion of override in access control policies. An access control request can be denied with the possibility of override. If the user agrees, the system allows the access under the audit of some authority. Our approach differs from this by providing, in effect, greater flexibility in defining how authorisations may be overridden. (Povey, 2000) proposes an optimistic security model that assumes that every access is legitimate and should be granted under the basis that the system can rollback illegitimate actions. We believe that in practice it would not be feasible to undo all illegitimate actions, and some minimum security should be provided. Nevertheless, while not following the dictum Make the user ask for forgiveness not permission (Blakley, 1996), our proposal does adopt some optimistic security model principles (see Section 3). 3
4 4 The research described in this paper builds on the suggestion in (Foley, 2002) that similarity measures could be used to provide imprecision in delegation for trust management systems. Supporting imprecision for information retrieval systems has been extensively considered in the literature on similaritybased retrieval for Case-Based Reasoning (CBR) systems (Aamodt and Plaza, 1994). Imprecision permits answers that may not formally meet the query condition, but can be considered close enough. The contribution of this paper is a consideration of how imprecision techniques can be used in a practical setting, and in particular, how similarity can be usefully introduced to SAML and supported within Web Services and Grid architectures. 3. Similarity-based Imprecise Security Systems We define a similarity-based imprecision security system or SBIS system, as a security system, where the security decisions take into account the similarity between permissions, attributes, authorisations, or other security-related information. SBIS Characteristics In general, a system that supports SBIS has the following characteristics. Accountability: given the imprecision supported by the system, there needs to be some guaranties of accountability. In SBIS, accountability may be achieved by strong authentication of the principals. Whether this authentication is provided by means of a centralised authority such as a PKI or not, will depend on the specific scenario, environment, and configuration of the system. Auditability: in order to provide accurate postmortem analysis of the system s operations. All operations permitted under similarity constraints should be logged in detail, so they can be analysed to study possible irregularities. Constrained entry points: as stated in (Povey, 2000), exceeding privilege should be a rarity, rather than a norm. If most of the actions need to be checked through the SBIS security check because they do not pass the absolute security check (see Figure 1), it is a symptom that the system is not properly set up. Deterrents: as in many access control systems, it is interesting to have mechanisms to punish principals who misbehave. This punishment can be economic or simply, restricting access permissions during a period of time (recall, Make the user ask for forgiveness not permission ).
5 Least intrusive: one of the main ideas behind SBIS, is for it to be easy to integrate within existing security systems. SBIS systems can use any type of security related information, permissions, authorisations, security policies, rules, and so forth, as long as a similarity function is provided between them. Similarity Similarity is equivalent to the dual distance concept from a mathematical point of view, and has been successfully applied in CBR systems. There are several similarity function types and families, for instance, there are boolean, numeric or partial order (including lattices) functions. Boolean functions may be easily emulated with numeric functions if required, and a variety of numeric similarity values can be expressed or normalised to the domain [0, 1], including R {, + }. For the sake of simplicity, we consider only numeric similarity values. For a good review of lattice based metrics see (Osborne and Bridge, 1997). Broadly speaking, a similarity function (denoted as ) takes two arguments from a set of features P (permissions, attributes, etc.) and returns a similarity value: : (P P ) [0, 1] Similarity functions are reflexive (x x = 1 x P ), and symmetric (x y = y x x, y P ). The similarity function is applied to a concrete feature or to a set of features. In the CBR literature, there are some generic similarity functions such as the weighted nearest neighbour, induction, lattice based metric, or the similarity matrix. In some cases one can compose functions or create specific ones. 5 Table 1. Sample similarity matrix. und phd prof und phd prof For example, Table 1 defines a simple similarity matrix between three roles: undergraduate student (und), PhD student (phd), and professor (prof ). Similarity threshold The similarity threshold is the threshold for which a given similarity value is accepted. We denote the similarity threshold as δ. For instance, suppose an SBIS system where some action requires a permission p, but the user does
6 6 not hold such permission. The SBIS engine should look for a permission p held by the user such that it is similar to p with a similarity value greater than the similarity threshold: p p p δ. The similarity threshold can be either static or dynamic. An static similarity threshold cannot be changed during execution time, while a dynamic similarity threshold can change its value during execution-time giving cause for a security dial. 4. Integration of SBIS in current SAML frameworks An interesting issue is how an SBIS system could be integrated into an existing access control system, without having to introduce major modifications in the system. Our approach is to reuse the main components of an existing system. For instance, permissions, authorisations, attributes, and so on as provided in SAML assertions. We consider the use of SAML in a generic access control scenario as described in Figure 1. It involves a Policy Decision Point (PDP), which can take SAML assertions as the input to the access control decision, and a Policy Enforcement Point, which controls the access to a given service or resource. Figure 1. SBIS Consider a set of SAML assertion statements P, with a partial order. Suppose that a given access request requires permission p and that the user making the request holds a set of statements Q. Then, the decision process could be summarised as: Absolute security check: if q Q q p then permit, otherwise SBIS check. SBIS check: if q Q q p δ then permit, otherwise deny. 5. Expressing SBIS in SAML assertions SAML provides a standard XML framework for exchanging security information between online business partners (OASIS, 2005). It is a well known standard applied in numerous industry products.
7 Security information is exchanged in form of assertions. SAML provides three types of assertion statements: Authentication, Attribute, and Authorisation Decision. Broadly speaking an assertion has an issuer, a subject or subjects, some conditions that express the validity specification of the assertion, and the statement (one or more). The assertion may be signed by the issuer. Similarity-based assertion We apply similarity functions to the SAML statements and their elements. For example, an authorisation decision includes the resource and the action of the authorisation. An authority may provide an authorisation decision assertion in terms of similarity between resources or actions, under some similarity threshold. We introduce a new optional element contained by the SAML statement element called SbisInfo to provide SBIS-related information. Note that this information cannot be provided in the condition element of the assertion because it makes reference to the whole assertion, while a single assertion can provide more than one statement for the same subject. 7 <element name="sbis:sbisinfo" type="sbis:sbisinfotype"/> <complextype name="sbis:sbisinfotype"> <sequence> <element name="sbis:threshold" type="double"/> <element name="sbis:source" type="id" minoccurs="0"/> <element name="sbis:function" type="sbis:sbisfunctiontype" minoccurs="0"/> <element name="sbis:history" type="sbis:sbishistorytype" minoccurs="0"/> </sequence> </complextype> <complextype name="sbis:sbisfunctiontype"> <sbis:element ref="cbml:similarity"/> </complextype> <complextype name="sbis:sbishistorytipe"> <element ref="saml:assertionuriref" maxoccurs="unbounded"/> </complextype> Figure 2. SbisInfo XML Schema definition. This SbisInfo element contains a sequence the following elements: threshold: the value of the threshold when the assertion was declared. If it is numeric, it will have to be normalised to the interval [0, 1]. source: optional element indicating the source of the similarity check, which is used to decide whether to trust the assertion or not. It will normally be the issuer of the assertion but this may not always be the case.
8 8 function: the function used to calculate the similarity. This function is described using CBML (Case Based Markup Language) (Hayes and Cunningham, 1999), as described in Section 3. history: a sequence of URI references to assertions used to evaluate and issue this assertion. They may be used to verify the similarity constrains by a third party. A simplified W3C s XML Schema definition of the SbisInfo element can be seen in Figure 2, which provides an extension of the current SAML assertion Schema (version 2.0). There, we denote the SAML namespace as saml, the CBML namespace as cbml, and the SBIS one as sbis. <Assertion xmlns="urn:oasis:names:tc:saml:2.0:assertion" xmlns:ds=" Version="2.0" ID=" IssueInstant=" T16:30:00.173Z"> <Conditions NotBefore=" T16:30:00.173Z" NotOnOrAfter=" T16:30:00.173Z"/> <Issuer> </Issuer> <Subject> <NameID NameQualifier=" Alice </NameID> </Subject> <AuthzDecisionStatement Resource=" Decision="Permit"> <Action>read</Action> <SbisInfo> <threshold>0.5</threshold> <source> <function>...</function> <history>...</history> </SbisInfo> </AuthzDecisionStatement> <ds:signature>...</ds:signature> </Assertion> Figure 3. SAML Assertion example. Figure 3 shows an example of a simplified SAML authorisation assertion with SBIS information. Expressing the similarity function In order to express the similarity function, we use CBML, which is a generic XML-based language for CBR. This language can describe generic similarity functions (Coyle et al., 2004).
9 It is important to note the relevance of being able to express similarity functions in a common and standard way. An authority which provides some kind of attribute, can also provide the similarity function for its attributes. The authority will be the principal with more knowledge about the attribute, thus the expert who can provide the best similarity function. The similarity function, also serves as a proof to third parties of how the similarity was calculated. It includes the features used to calculate the similarity and how were they calculated. 6. Practical considerations When a SAML asserting party or authority generates an assertion under similarity constraints the assertion includes the relevant information regarding the similarity threshold, similarity function and references to assertions used during the decision process. This information, together with the digital signature of the assertion is crucial for third parties that have to evaluate the assertion. The SBIS information encoded within the assertion is sufficient to avoid the cascading problem (Foley, 2002). For example, given the example of the similarity function in Table 1, for the roles: undergraduate student (und), PhD student (phd), and professor (prof ). Consider that Alice has an attribute assertion issued by a recognised authority Chancellor. If we consider a decision point with a similarity threshold δ = 0.5, Alice will be able hold the phd role (und phd = 0.7), but not the prof role (und prof = 0.2). In some situations Alice may ask the decision point to issue a new assertion stating that she can hold the role phd to use the assertion in another access request for example. But note that then, she could use such assertion to gain privileges for the role prof, since phd prof = 0.5. While this is a simplistic example, the cascading problem must be dealt with carefully in more complex situations. To avoid cascades, when Alice asks the decision point to issue the second assertion, this assertion will have all the information previously commented. Thus, the receiver is able to evaluate and track the similarity constraints used to issue the assertion. In (Foley, 2002) a specific solution for the cascading problem is provided. While providing an elegant solution, it requires an a priori knowledge of the similarity functions involved in the similarity-based decision (including future ones). In this paper we provide a more generic solution. One could use the assertion to compare it to a new attribute assertion (such as age) and provide a new different similarity function. 7. Conclusions This paper discusses the relevance and motivation for allowing a controlled degree of imprecision in security decision engines. This degree is based on the 9
10 10 similarity between security related information such as permissions, attributes, etc. resulting in similarity based imprecision security (SBIS) systems. We introduced SBIS capabilities in SAML, which is a widely adopted standard in Web Services and Grid. SBIS is not intended for high security or critical systems but systems where usability is a key point. Empirical studies demonstrate that currently, absolute security systems are failing to do their job. SBIS can provide enough flexibility to the system and at the same time it can ensure some degree of security. Acknowledgments The work of G. Navarro has been partially funded by the Spanish Ministry of Science and Technology (MCYT) though the project TIC References Aamodt, A. and Plaza, E. (1994). Case-based reasoning: Foundational issues, methodological variations, and system approaches. AICom- Artificial Intelligence Communications, 7(1). Adams, A. and Sasse, M. A. (1999). Users are not the enemy. Commun. ACM, 42(12). Blakley, B. (1996). The emperor s old armor. In Proceedings of the 1996 workshop on New security paradigms. Coyle, L., Doyle, D., and Cunningham, P. (2004). Representing similarity for CBR in XML. In Advances in Case-Based Reasoning (Procs. of the Seventh European Conference). Foley, S. N. (2002). Supporting imprecise delegation in keynote using similarity measures. In Proceedings of International Security Protocols Workshop. Hayes, C. and Cunningham, P. (1999). Shaping a CBR view with XML. In Proceedings of the Third International Conference on Case-Based Reasoning and Development, ICCBR-99. OASIS (2005). Assertions and Protocols for the OASIS Secure Assertion Markup Language (SAML) v2.0. sstc-saml-core-2.0-cd-04, Committee Draft 04. Odlyzko, A. (2003). Economics, psychology, and sociology of security. In Financial Cryptography: 7th International Conference. Osborne, H. and Bridge, D. (1997). Models of similarity for case-based reasoning. In Procs. of the Interdisciplinary Workshop on Similarity and Categorisation. Povey, D. (2000). Optimistic security: a new access control paradigm. In Proceedings of the 1999 Workshop on New Security Paradigms. Rissanen, E., Firozabadi, B. Sadighi, and Sergot, M. (2004). Towards a mechanism for discretionary overriding of access control. In 12th International Workshop on Security Protocols. Smetters, D. K. and Grinter, R. E. (2002). Moving from the design of usable security technologies to the design of useful secure applications. In Proceedings of the 2002 Workshop on New Security Paradigms. Whitten, A. and Tygar, J. D. (1999). Why Johnny Can t Encrypt: A Usability Evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium. Yan, J., Blackwell, A., Anderson, R., and Grant, A. (2004). Password memorability and security: Empirical results. IEEE Security & privacy, 2(5). Zurko, M. E. and Simon, R. T. (1996). User-centered security. In Proceedings of the 1996 Workshop on New Security Paradigms.
OpenHRE Security Architecture. (DRAFT v0.5)
OpenHRE Security Architecture (DRAFT v0.5) Table of Contents Introduction -----------------------------------------------------------------------------------------------------------------------2 Assumptions----------------------------------------------------------------------------------------------------------------------2
More informationA Federated Authorization and Authentication Infrastructure for Unified Single Sign On
A Federated Authorization and Authentication Infrastructure for Unified Single Sign On Sascha Neinert Computing Centre University of Stuttgart Allmandring 30a 70550 Stuttgart sascha.neinert@rus.uni-stuttgart.de
More informationDesign and Implementaion of a Single Sign-On Library Supporting SAML (Security Assertion Markup Language) for Grid and Web Services Security
Design and Implementaion of a Single Sign-On Library Supporting SAML (Security Assertion Markup Language) for Grid and Web Services Security Dongkyoo Shin, Jongil Jeong, and Dongil Shin Department of Computer
More informationExtending XACML for Open Web-based Scenarios
Extending XACML for Open Web-based Scenarios Claudio A. Ardagna 1, Sabrina De Capitani di Vimercati 1, Stefano Paraboschi 2, Eros Pedrini 1, Pierangela Samarati 1, Mario Verdicchio 2 1 DTI - Università
More informationSWIFT: Advanced identity management
SWIFT: Advanced identity management Elena Torroglosa, Alejandro Pérez, Gabriel López, Antonio F. Gómez-Skarmeta and Oscar Cánovas Department of Information and Communications Engineering University of
More informationOIO SAML Profile for Identity Tokens
> OIO SAML Profile for Identity Tokens Version 1.0 IT- & Telestyrelsen October 2009 Content > Document History 3 Introduction 4 Related profiles 4 Profile Requirements 6 Requirements 6
More informationSecurity Issues for the Semantic Web
Security Issues for the Semantic Web Dr. Bhavani Thuraisingham Program Director Data and Applications Security The National Science Foundation Arlington, VA On leave from The MITRE Corporation Bedford,
More informationSingle Sign-On Scheme using XML for Multimedia Device Control in Children s Game Network based on OSGi service Platform
Single Sign-On Scheme using XML for Multimedia Device Control in Children s Game Network based on OSGi service Platform Dongkyoo Shin and Dongil Shin Department of Computer Engineering, Sejong University
More informationUsing Authority Certificates to Create Management Structures
Using Authority Certificates to Create Management Structures Babak Sadighi Firozabadi 1, Marek Sergot 2, and Olav Bandmann 1 1 Swedish Institute of Computer Science (SICS) {babak,olav}@sics.se 2 Imperial
More informationCHAPTER 1 INTRODUCTION
1 CHAPTER 1 INTRODUCTION 1.1 Introduction Cloud computing as a new paradigm of information technology that offers tremendous advantages in economic aspects such as reduced time to market, flexible computing
More informationDocuSign Single Sign On Implementation Guide Published: March 17, 2016
DocuSign Single Sign On Implementation Guide Published: March 17, 2016 Copyright Copyright 2003-2016 DocuSign, Inc. All rights reserved. For information about DocuSign trademarks, copyrights and patents
More informationPrivacy-preserving Digital Identity Management for Cloud Computing
Privacy-preserving Digital Identity Management for Cloud Computing Elisa Bertino bertino@cs.purdue.edu Federica Paci paci@cs.purdue.edu Ning Shang nshang@cs.purdue.edu Rodolfo Ferrini rferrini@purdue.edu
More informationOn XACML, role-based access control, and health grids
On XACML, role-based access control, and health grids 01 On XACML, role-based access control, and health grids D. Power, M. Slaymaker, E. Politou and A. Simpson On XACML, role-based access control, and
More informationIAM Application Integration Guide
IAM Application Integration Guide Date 03/02/2015 Version 0.1 DOCUMENT INFORMATIE Document Title IAM Application Integration Guide File Name IAM_Application_Integration_Guide_v0.1_SBO.docx Subject Document
More informationAlliance AES Key Management
Alliance AES Key Management Solution Brief www.patownsend.com Patrick Townsend Security Solutions Criteria for selecting a key management solution for the System i Key Management is as important to your
More informationWeb Services Security with SOAP Security Proxies
Web Services Security with Security Proxies Gerald Brose, PhD Technical Product Manager Xtradyne Technologies AG OMG Web Services Workshop USA 22 April 2003, Philadelphia Web Services Security Risks! Exposure
More informationDigital Signature Web Service Interface
1 2 Digital Signature Web Service Interface 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 1 Introduction This document describes an RPC interface for a centralized
More informationAuthorization-Authentication Using
School of Computing Science, University of Newcastle upon Tyne Authorization-Authentication Using XACML and SAML Jake Wu and Panos Periorellis Technical Report Series CS-TR-907 May 2005 Copyright c 2004
More informationCloud-based Identity and Access Control for Diagnostic Imaging Systems
Cloud-based Identity and Access Control for Diagnostic Imaging Systems Weina Ma and Kamran Sartipi Department of Electrical, Computer and Software Engineering University of Ontario Institute of Technology
More informationAuthentication Context Classes for Levels of Assurance for the Swedish eid Framework
Authentication Context Classes for Levels of Assurance for the Swedish eid Framework Version 1.0 2013-07-01 1 (5) 1 INTRODUCTION 3 2 DEFINED AUTHENTICATION CONTEXT CLASSES 3 2.1 LEVEL OF ASSURANCE LEVEL
More informationIntegrating Security and Usability at Requirement Specification Process
Integrating Security and Usability at Requirement Specification Process Author: Nikhat Parveen 1, Rizwan Beg 2, M. H. Khan 3 1,2 Department of Computer Application, Integral University, Lucknow, India.
More informationA Model for Access Control Management in Distributed Networks
A Model for Access Control Management in Distributed Networks Master of Science Thesis Azadeh Bararsani Supervisor/Examiner: Dr. Johan Montelius Royal Institute of Technology (KTH), Stockholm, Sweden,
More informationUsing XACML and SAML for Authorisation messaging and assertions: XACML and SAML standards overview and usage examples
Using XACML and SAML for Authorisation messaging and assertions: XACML and SAML standards overview and usage examples Draft version 0.2. - March 28, 2005 Yuri Demchenko Abstracts
More informationSecuring Web Services With SAML
Carl A. Foster CS-5260 Research Project Securing Web Services With SAML Contents 1.0 Introduction... 2 2.0 What is SAML?... 2 3.0 History of SAML... 3 4.0 The Anatomy of SAML 2.0... 3 4.0.1- Assertion
More informationThis Working Paper provides an introduction to the web services security standards.
International Civil Aviation Organization ATNICG WG/8-WP/12 AERONAUTICAL TELECOMMUNICATION NETWORK IMPLEMENTATION COORDINATION GROUP EIGHTH WORKING GROUP MEETING (ATNICG WG/8) Christchurch New Zealand
More informationCS 356 Lecture 28 Internet Authentication. Spring 2013
CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists
More informationSecure Semantic Web Service Using SAML
Secure Semantic Web Service Using SAML JOO-YOUNG LEE and KI-YOUNG MOON Information Security Department Electronics and Telecommunications Research Institute 161 Gajeong-dong, Yuseong-gu, Daejeon KOREA
More informationA Delegation Framework for Federated Identity Management
A Framework for Federated Identity Management Hidehito Gomi, Makoto Hatakeyama, Shigeru Hosono and Satoru Fujita NEC Internet Systems Research Laboratories 1753, Shimonumabe, Nakahara-Ku, Kawasaki, Kanagawa
More informationManisha R. Patil. Keywords Cloud service provider, Identity Provider, Enhanced Client Profile, Identity Management, Privacy, Trust Manager.
Volume 4, Issue 7, July 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Privacy and Dynamic
More informationSingle Sign-On Implementation Guide
Version 27.0: Spring 13 Single Sign-On Implementation Guide Last updated: February 1, 2013 Copyright 2000 2013 salesforce.com, inc. All rights reserved. Salesforce.com is a registered trademark of salesforce.com,
More informationIntroduction to Service Oriented Architectures (SOA)
Introduction to Service Oriented Architectures (SOA) Responsible Institutions: ETHZ (Concept) ETHZ (Overall) ETHZ (Revision) http://www.eu-orchestra.org - Version from: 26.10.2007 1 Content 1. Introduction
More informationSingle Sign-On Implementation Guide
Salesforce.com: Salesforce Winter '09 Single Sign-On Implementation Guide Copyright 2000-2008 salesforce.com, inc. All rights reserved. Salesforce.com and the no software logo are registered trademarks,
More informationUSING FEDERATED AUTHENTICATION WITH M-FILES
M-FILES CORPORATION USING FEDERATED AUTHENTICATION WITH M-FILES VERSION 1.0 Abstract This article provides an overview of federated identity management and an introduction on using federated authentication
More information2 Transport-level and Message-level Security
Globus Toolkit Version 4 Grid Security Infrastructure: A Standards Perspective The Globus Security Team 1 Version 4 updated September 12, 2005 Abstract This document provides an overview of the Grid Security
More informationIntroduction to SAML
Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments
More information6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING
6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING The following is a general checklist for the audit of Network Administration and Security. Sl.no Checklist Process 1. Is there an Information
More informationEvaluation of different Open Source Identity management Systems
Evaluation of different Open Source Identity management Systems Ghasan Bhatti, Syed Yasir Imtiaz Linkoping s universitetet, Sweden [ghabh683, syeim642]@student.liu.se 1. Abstract Identity management systems
More informationWhite Paper The Identity & Access Management (R)evolution
White Paper The Identity & Access Management (R)evolution Federation and Attribute Based Access Control Page 2 A New Perspective on Identity & Access Management Executive Summary Identity & Access Management
More informationAccess Control of Cloud Service Based on UCON
Access Control of Cloud Service Based on UCON Chen Danwei, Huang Xiuli, and Ren Xunyi Nanjing University of posts & Telecommunications, New Model Street No.66, 210003, Nanjing, China chendw@njupt.edu.cn,
More informationDigital Signing without the Headaches
Digital Signing without the Headaches Nick Pope 1 Juan Carlos Cruellas 2 1 Security & Standards Associates Grays, Essex, United Kingdom nickpope@secstan.com 2 Universitat Politècnica de Catalunya Barcelona,
More informationArchitecture Guidelines Application Security
Executive Summary These guidelines describe best practice for application security for 2 or 3 tier web-based applications. It covers the use of common security mechanisms including Authentication, Authorisation
More informationTwo patterns for web services security
Two patterns for web services security Eduardo B. Fernandez Dept. of Computer Science and Engineering Florida Atlantic University Boca Raton, FL 3343, USA Abstract Patterns are widely used in software
More informationAccess Control. Dr George Danezis (g.danezis@ucl.ac.uk)
Access Control Dr George Danezis (g.danezis@ucl.ac.uk) Resources Key paper: Carl E. Landwehr: Formal Models for Computer Security. ACM Comput. Surv. 13(3): 247-278 (1981) See references to other optional
More informationRevocation in the privilege calculus
Revocation in the privilege calculus Babak Sadighi Firozabadi 1 and Marek Sergot 2 1 Swedish Institute of Computer Science (SICS) babak@sics.se 2 Imperial College of Science, Technology and Medicine mjs@doc.ic.ac.uk
More informationOn the general structure of ontologies of instructional models
On the general structure of ontologies of instructional models Miguel-Angel Sicilia Information Engineering Research Unit Computer Science Dept., University of Alcalá Ctra. Barcelona km. 33.6 28871 Alcalá
More informationIdentity, Privacy, and Data Protection in the Cloud XACML. David Brossard Product Manager, Axiomatics
Identity, Privacy, and Data Protection in the Cloud XACML David Brossard Product Manager, Axiomatics 1 What you will learn The issue with authorization in the cloud Quick background on XACML 3 strategies
More informationXML Signatures in an Enterprise Service Bus Environment
XML Signatures in an Enterprise Bus Environment Eckehard Hermann Research & Development XML Integration Uhlandstraße 12 64297 Darmstadt, Germany Eckehard.Hermann@softwareag.com Dieter Kessler Research
More informationUsable Security: Oxymoron or Challenge?
Usable Security: Oxymoron or Challenge? D. K. Smetters Computing Science Laboratory Palo Alto Research Center Security is rapidly emerging as one of the greatest challenges of our modern, computercentric
More informationOpen Data Center Alliance Usage: Infrastructure as a Service (IaaS) Privileged User Access rev. 1.0
sm Open Data Center Alliance Usage: Infrastructure as a Service (IaaS) Privileged User Access rev. 1.0 Table of Contents Legal Notice... 3 Executive Summary... 4 Related Usage Models... 5 Reference Framework...
More informationIdentity Assurance Hub Service SAML 2.0 Profile v1.2a
1 2 3 4 Identity Assurance Hub Service SAML 2.0 Profile v1.2a Identity Assurance Programme, 07 August 2015 5 6 7 8 9 10 11 12 13 14 15 16 17 18 Document identifier: IDAP/HubService/Profiles/SAML Editors:
More informationManagement of Exceptions on Access Control Policies
Management of Exceptions on Access Control Policies J. G. Alfaro 1,2, F. Cuppens 1, and N. Cuppens-Boulahia 1 1 GET/ENST-Bretagne, 35576 Cesson Sévigné - France, {frederic.cuppens,nora.cuppens}@enst-bretagne.fr
More informationA Service Oriented Security Reference Architecture
International Journal of Advanced Computer Science and Information Technology (IJACSIT) Vol. 1, No.1, October 2012, Page: 25-31, ISSN: 2296-1739 Helvetic Editions LTD, Switzerland www.elvedit.com A Service
More informationIdentity Management Challenges for Intercloud Applications
Identity Management Challenges for Intercloud Applications David Núñez 1, Isaac Agudo 1, Prokopios Drogkaris 2 and Stefanos Gritzalis 2 1 Department of Computer Science, E.T.S. de Ingeniería Informática,
More informationIntroducing Shibboleth
workshop Introducing Shibboleth MPG-AAI Workshop Clarin Centers Prague 2009 2009-11-06 MPG-AAI MPG-AAI a MPG-wide Authentication & Authorization Infrastructure for access control to web-based resources
More informationXACML and Access Management. A Business Case for Fine-Grained Authorization and Centralized Policy Management
A Business Case for Fine-Grained Authorization and Centralized Policy Management Dissolving Infrastructures A recent Roundtable with CIOs from a dozen multinational companies concurred that Identity &
More informationInformation Security Basic Concepts
Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,
More informationCopyright 2012, Oracle and/or its affiliates. All rights reserved.
1 OTM and SOA Mark Hagan Principal Software Engineer Oracle Product Development Content What is SOA? What is Web Services Security? Web Services Security in OTM Futures 3 PARADIGM 4 Content What is SOA?
More informationM.S. Computer Science Program
M.S. Computer Science Program Pre-requisite Courses The following courses may be challenged by sitting for the placement examination. CSC 500: Discrete Structures (3 credits) Mathematics needed for Computer
More informationChapter 23. Database Security. Security Issues. Database Security
Chapter 23 Database Security Security Issues Legal and ethical issues Policy issues System-related issues The need to identify multiple security levels 2 Database Security A DBMS typically includes a database
More informationA Semantic Approach for Access Control in Web Services
A Semantic Approach for Access Control in Web Services M. I. Yagüe, J. Mª Troya Computer Science Department, University of Málaga, Málaga, Spain {yague, troya}@lcc.uma.es Abstract One of the most important
More informationWeb Services Security Standards Forum. Dr. Phillip M. Hallam-Baker C.Eng. FBCS VeriSign Inc.
Web Services Security Standards Forum Dr. Phillip M. Hallam-Baker C.Eng. FBCS VeriSign Inc. Web Services Security Standards For Um For um: Meeting to tell people that everyone agrees on an issue Walk the
More informationWeb Service Authorization Framework
Web Service Authorization Framework Thomas Ziebermayr, Stefan Probst Software Competence Center Hagenberg, Hauptstrasse 99, 4232 Hagenberg, Austria thomas.ziebermayr@scch.at, stefan.probst@scch.at Abstract
More information2. Preliminaries. 2.1. Moving from Context to Context Views. 2.2. Building Services using Context Views. 2.3. Where does security fit in?
Enabling Secure Ad-hoc Communication using Context-Aware Security Services Extended Abstract 1. Introduction Narendar Shankar University of Maryland narendar@cs.umd.edu It is a stated goal of the ubiquitous
More informationA Simple Implementation and Performance Evaluation Extended-Role Based Access Control
A Simple Implementation and Performance Evaluation Extended-Role Based Access Control Wook Shin and Hong Kook Kim Dept. of Information and Communications, Gwangju Institute of Science and Technology, 1
More informationThis chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:
CHAPTER 1 SAML Single Sign-On This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: Junos Pulse Secure Access
More informationFederated Identity Management Solutions
Federated Identity Management Solutions Jyri Kallela Helsinki University of Technology jkallela@cc.hut.fi Abstract Federated identity management allows users to access multiple services based on a single
More informationIntroducing Federated Identities to One-Stop-Shop e-government Environments: The Greek Case
echallenges e-2009 Conference Proceedings Paul Cunningham and Miriam Cunningham (Eds) IIMC International Information Management Corporation, 2009 ISBN: 978-1-905824-13-7 Introducing Federated Identities
More informationServer based signature service. Overview
1(11) Server based signature service Overview Based on federated identity Swedish e-identification infrastructure 2(11) Table of contents 1 INTRODUCTION... 3 2 FUNCTIONAL... 4 3 SIGN SUPPORT SERVICE...
More informationGENERIC SECURITY FRAMEWORK FOR CLOUD COMPUTING USING CRYPTONET
http:// GENERIC SECURITY FRAMEWORK FOR CLOUD COMPUTING USING CRYPTONET Manisha Dawra 1, Ramdev Singh 2 1 Al-Falah School of Engg. & Tech., Vill-Dhauj, Ballabgarh-Sohna Road, Faridabad, Haryana (INDIA)-121004
More informationA FRAMEWORK TO DESIGN SECURE EMAIL SERVICE IN THE CLOUD
http:// A FRAMEWORK TO DESIGN SECURE EMAIL SERVICE IN THE CLOUD Midasala Anusha Rani 1, Paparao Rapuri 2, Betam Suresh 3 1 Pursuing M.Tech(CSE), 2 Asst. Professor in Department of CSE, 3 HOD Vikas Group
More informatione-gov Architecture Architectural Blueprint
Introduction 2 4 Introduction...4 Service Oriented Architecture...4 Security...6 Authentication 8 Authorization 10 Integration... 11 Service Bus 12 Orchestration 13 Discovery... 15 Monitoring... 17 Auditing
More informationSPML (Service Provisioning Markup Language) and the Importance of it within the Security Infrastructure Framework for ebusiness
Interoperability Summit 2002 SPML (Service Provisioning Markup Language) and the Importance of it within the Security Infrastructure Framework for ebusiness Gavenraj Sodhi Senior Technology Analyst Provisioning
More informationDIGITAL RIGHTS MANAGEMENT SYSTEM FOR MULTIMEDIA FILES
DIGITAL RIGHTS MANAGEMENT SYSTEM FOR MULTIMEDIA FILES Saiprasad Dhumal * Prof. K.K. Joshi Prof Sowmiya Raksha VJTI, Mumbai. VJTI, Mumbai VJTI, Mumbai. Abstract piracy of digital content is a one of the
More informationCertificate Management in Ad Hoc Networks
Certificate Management in Ad Hoc Networks Matei Ciobanu Morogan, Sead Muftic Department of Computer Science, Royal Institute of Technology [matei, sead] @ dsv.su.se Abstract Various types of certificates
More informationCHAPTER - 3 WEB APPLICATION AND SECURITY
CHAPTER - 3 WEB APPLICATION AND SECURITY 3.1 Introduction Web application or Wepapp is the general term that is normally used to refer to all distributed web-based applications. According to the more technical
More informationSchichtenübergreifendes Identitätsmanagement zwischen HIP und SAML
Schichtenübergreifendes Identitätsmanagement zwischen HIP und SAML Ein Architekturkonzept Supported by the SWIFT project www.ist-swift.org Marc Barisch, Alfredo Matos marc.barisch@ikr.uni-stuttgart.de,
More informationNational Identity Exchange Federation. Web Browser User-to-System Profile. Version 1.0
National Identity Exchange Federation Web Browser User-to-System Profile Version 1.0 August 18, 2014 Table of Contents TABLE OF CONTENTS 1 1. TARGET AUDIENCE AND PURPOSE 2 2. TERMINOLOGY 2 3. REFERENCES
More informationMulti-Level Secure Architecture for Distributed Integrated Web Services
Multi-Level Secure Architecture for Distributed Integrated Web s J.G.R.Sathiaseelan Bishop Heber College (Autonomous) Tiruchirappalli 620 017, India jgrsathiaseelan@gmail.com S.Albert Rabara St Joseph
More informationNIST s Guide to Secure Web Services
NIST s Guide to Secure Web Services Presented by Gaspar Modelo-Howard and Ratsameetip Wita Secure and Dependable Web Services National Institute of Standards and Technology. Special Publication 800-95:
More informationRun-time Service Oriented Architecture (SOA) V 0.1
Run-time Service Oriented Architecture (SOA) V 0.1 July 2005 Table of Contents 1.0 INTRODUCTION... 1 2.0 PRINCIPLES... 1 3.0 FERA REFERENCE ARCHITECTURE... 2 4.0 SOA RUN-TIME ARCHITECTURE...4 4.1 FEDERATES...
More informationACAPS An Access Control Mechanism to Protect the Components of an Attack Prevention System
ACAPS An Access Control Mechanism to Protect the Components of an Attack Prevention System Joaquín García, Sergio Castillo, Guillermo Navarro, Joan Borrell {jgarcia,scastillo,gnavarro,jborrell}@deic.uab.es
More informationAAA for IMOS: Australian Access Federation & related components
AAA for IMOS: Australian Access Federation & related components James Dalziel Professor of Learning Technology, and Director, Macquarie E-Learning Centre Of Excellence (MELCOE) Macquarie University james@melcoe.mq.edu.au
More informationFederation Proxy for Cross Domain Identity Federation
Proxy for Cross Domain Identity Makoto Hatakeyama NEC Corporation, Common Platform Software Res. Lab. 1753, Shimonumabe, Nakahara-Ku, Kawasaki, Kanagawa 211-8666, Japan +81-44-431-7663 m-hatake@ax.jp.nec.com
More informationModule 7 Security CS655! 7-1!
Module 7 Security CS655! 7-1! Issues Separation of! Security policies! Precise definition of which entities in the system can take what actions! Security mechanism! Means of enforcing that policy! Distributed
More informationIS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS
More informationFRACTAL SYSTEM & PROJECT SUITE: ENGINEERING TOOLS FOR IMPROVING DEVELOPMENT AND OPERATION OF THE SYSTEMS. (Spain); ABSTRACT 1.
FRACTAL SYSTEM & PROJECT SUITE: ENGINEERING TOOLS FOR IMPROVING DEVELOPMENT AND OPERATION OF THE SYSTEMS A. Pérez-Calpena a, E. Mujica-Alvarez, J. Osinde-Lopez a, M. García-Vargas a a FRACTAL SLNE. C/
More informationA Conceptual Technique for Modelling Security as a Service in Service Oriented Distributed Systems
Volume 1, Number 2, December 2014 JOURNAL OF COMPUTER SCIENCE AND SOFTWARE APPLICATION A Conceptual Technique for Modelling Security as a Service in Service Oriented Distributed Systems Satish Kumar*,
More informationIDENTITY MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region
IDENTITY MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
More informationSAML application scripting guide
Chapter 151 SAML application scripting guide You can use the generic SAML application template (described in Creating a custom SAML application profile) to add a SAML-enabled web application to the app
More informationData Integrity for Secure Dynamic Cloud Storage System Using TPA
International Journal of Electronic and Electrical Engineering. ISSN 0974-2174, Volume 7, Number 1 (2014), pp. 7-12 International Research Publication House http://www.irphouse.com Data Integrity for Secure
More informationWhite Paper. Authentication and Access Control - The Cornerstone of Information Security. Vinay Purohit September 2007. Trianz 2008 White Paper Page 1
White Paper Authentication and Access Control - The Cornerstone of Information Security Vinay Purohit September 2007 Trianz 2008 White Paper Page 1 Table of Contents 1 Scope and Objective --------------------------------------------------------------------------------------------------------
More informationA Secure & Efficient Data Integrity Model to establish trust in cloud computing using TPA
A Secure & Efficient Data Integrity Model to establish trust in cloud computing using TPA Mr.Mahesh S.Giri Department of Computer Science & Engineering Technocrats Institute of Technology Bhopal, India
More informationIdentity Management im Liberty Alliance Project
Rheinisch-Westfälische Technische Hochschule Aachen Lehrstuhl für Informatik IV Prof. Dr. rer. nat. Otto Spaniol Identity Management im Liberty Alliance Project Seminar: Datenkommunikation und verteilte
More informationWeb Services Trust and XML Security Standards
Web Services Trust and XML Security Standards Date: April 9, 2001 Version: 1.0 Copyright 2001-2003 Entrust. All rights reserved. Entrust is a registered trademark of Entrust, Inc. in the United States
More informationMoving from Security to Distributed Trust in Ubiquitous Computing Environments
Moving from Security to Distributed Trust in Ubiquitous Computing Environments Lalana Kagal, Tim Finin and Anupam Joshi University of Maryland Baltimore County email : lkagal1,finin,ajoshi@cs.umbc.edu
More informationOriginator Control in Usage Control *
Originator Control in Usage Control * Jaehong Park Laboratory for Information Security Technology ISE Department, MS4A4 George Mason University, Fairfax, VA 22030 jaehpark@ise.gmu.edu, www.list.gmu.edu/park
More informationUSING SAML TO LINK THE GLOBUS TOOLKIT TO THE PERMIS AUTHORISATION INFRASTRUCTURE
USING SAML TO LINK THE GLOBUS TOOLKIT TO THE PERMIS AUTHORISATION INFRASTRUCTURE Authors David Chadwick 1, Sassa Otenko 1, Von Welch 2 Affiliation 1 ISI, University of Salford, Salford, M5 4WT, England.
More informationSAML basics A technical introduction to the Security Assertion Markup Language
SAML basics A technical introduction to the Security Assertion Markup Language WWW2002 Eve Maler, XML Standards Architect XML Technology Center Sun Microsystems, Inc. Agenda The problem space SAML concepts
More informationOASIS Standard Digital Signature Services (DSS) Assures Authenticity of Data for Web Services
www.oasis-open.org OASIS Standard Digital Signature Services (DSS) Assures Authenticity of Data for Web Services Juan Carlos Cruellas UPC Spain Nick Pope Thales esecurity (Co-Chairs Chairs DSS Technical
More informationLecture 10 - Authentication
Lecture 10 - Authentication CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Kerberos: What to know 1) Alice T rent : {Alice + Bob
More information